Taming the data demons: leveraging information in the age of risk white paper







IBM Global Technology Services
September 2010
Thought Leadership White Paper

Taming the data demons: leveraging information in the age of risk
Contents
Introduction
Data risk management defined
Meeting the unrealized need
Yesterday's data risk management—saying "no"
Today's data risk management—saying "yes"
It starts with governance
The trouble with silos
The shortest distance between data and its safety
Data on the move
Holistic has its benefits
IBM can help
For more information

Introduction
Innovative companies understand that risk is essential to growing a business. Every initiative that has the potential to break new ground, open up new markets or extend a competitive advantage also has a potential downside. The key is to identify these downside risks ahead of time, accurately evaluating their effect on the business, and putting processes and safeguards in place to mitigate them. This is true of every type of risk an organization faces—business-driven, event-driven and, especially, data-driven risk.

With data being the new world currency, and the cost of maintaining and protecting that data running exponentially higher than the cost to capture it in the first place, data risk management is assuming a new importance among IT and line-of-business executives alike.

It may not be enough, however, to simply assign data risk management a new level of importance. A new point of view may be required as well: a holistic point of view that makes data risk management an integral part of both enterprise-wide data policies and business strategies, and that has the potential to deliver lower cost, faster return on investment, better compliance and a more flexible and resilient organization.

This white paper explores the framework and advantages of a holistic approach to data risk management, and provides both IT and line-of-business executives with the "why" and "how" to begin putting a holistic data risk management program to work in organizations large and small.
Data risk management defined
There is no getting around it, if a business today loses access to its data, it is soon out of business. There are many reasons why an organization could find its access to reliable, secure data compromised—everything from a missing laptop to a corporate merger to a hurricane (see Figure 1). Then there are the legal and compliance requirements. In fact, many organizations that never previously considered themselves to be potential targets for hackers, or maintainers of sensitive customer data, now find themselves every bit as responsible for compliance as banks, hospitals and other traditional subjects of compliance regulations.

Figure 1: Today's organizations face a wide range of risk issues, almost all of which have an impact on that organization's data. (Source: 2010 IBM Global IT Risk Study)
● IT security: 78%
● Hardware and system malfunction: 63%
● Power failure: 50%
● Physical security: 40%
● Theft: 28%
● Product quality issues: 25%
● Federal compliance issues: 22%
● Natural disaster: 17%
● E-discovery requests: 13%
● Supply chain breakdown: 11%
● Terrorism activity: 6%
Data risk management provides the methodology by which all data risks—internal and external, IT- and business-related—are identified, qualified, avoided, accepted, mitigated or transferred out. In today's global marketplace, where multiple locations and a blend of in-house and vendor solutions must work together instantly and seamlessly, it is more important than ever that an organization's data risk management processes and procedures be part of a coordinated and well-thought-out whole. In this way, the complete risk picture of every type of data an organization possesses can be accurately assessed over its entire lifespan; negative risks can be mitigated and positive risks can be leveraged for business gain.

Meeting the unrealized need
Data is not just growing, it is exploding. According to IDC, organizations are facing, on average, 50 to 60 percent data growth.¹ And for every $1 spent creating data, another $10 to $12 may be required to manage that data. With all this data, and all this money being spent on creating and maintaining it, it only makes smart business sense to strive for maximum return for that money, and to reduce the cost wherever possible.

Many organizations simply do not realize the positive role data risk management can play in their efforts to make cost- and business-effective use of their data. Efficient data risk management not only leverages IT's enterprise-wide view of the business and its data to create a more complete picture of the data, its value and its risk issues—it can bring to light new, more responsible, more profitable ways of capturing, storing and delivering that data for business advantage.

Yesterday's data risk management—saying "no"
Up to now, most organizations' approach to data risk management has been reactive. Focus has been on negative risks such as hacking, theft and data system failure. The response has been to say "no"—to severely limit access to data, build hefty firewalls and deal with each new threat as it is exposed, often at great expense to both the data systems and the business. No one in the organization may have an accurate picture of data's business value.
Mitigating negative risk is important, but risk avoidance is only one half of robust data risk management. Unlocking the opportunity inherent in positive risk is the other half. Unfortunately, positive risk is hard to see behind the silos. Data risks have been traditionally compartmentalized into silo categories such as availability, access security and disaster recovery. The data itself is also often compartmentalized by department and data type. What this means is that no one in the organization has a complete picture of where the data is, how and when it is being used, and what its business value truly is. As a result, most organizations' data risk efforts are simply reactive cost centers rather than proactive value creators.

Today's data risk management—saying "yes"
Truly effective, holistic data risk management is not primarily a data issue or a risk issue; it is a management issue. Holistic data risk management takes a business-oriented approach, looking first at the business processes, then at the related data—assigning positive and negative risk evaluations based on use of the data across the organization and between the organization and its customers, partners and vendors. Holistic data risk management is about saying a measured, protected and well-planned "yes" to new opportunities, new markets and new competitive postures.

It starts with governance
Governance is where holistic data risk management begins, and what separates it from traditional, reactive risk management. Good governance builds the data risk policies and procedures into business systems and processes as they are created and implemented—making data risk management more robust while remaining virtually transparent to users inside and outside the organization. Robust governance helps assure that there is a proactive approach to current and future data risks.

Data risk governance is like a guidebook everyone refers to in order to be sure they are all on the same page. It provides the policies, controls and operational guidelines that enable risk-responsible individuals throughout the organization to thoroughly and correctly assign risk type and severity to data and its related systems and processes and either leverage or mitigate that risk.
An effective data risk governance policy helps drive business value through its ability to:
● Increase compliance and regulatory adherence
● Enhance business intelligence capabilities
● Facilitate alignment of IT data initiatives and business strategies, including management of business and IT growth
● Improve ability to measure, monitor and improve business performance
● Reduce complexity to help improve business flexibility and accelerate strategic initiatives.

The trouble with silos
To drive up the value of data risk management initiatives, organizations have to drive out complexity—and that means silos. Getting rid of as many data silos as possible is a good first step. Some of those data silos are obvious, such as the data that is stored separately by each department and internal versus externally created data. Some silos are not so obvious, such as those that separate structured data such as order forms and inventory tracking from unstructured data such as e-mails and corporate correspondence.

Data silos are not the only ones that need to be addressed in a good data risk management plan. There are also business silos and risk silos, such as availability, data security, access security and disaster recovery. In the 2010 IBM Global IT Risk Study, 47 percent of the respondents reported that even risk planning itself happens in silos. These risk silos have traditionally been considered distinct disciplines but now need to be brought together to give a more accurate and complete risk picture.

By breaking down the barriers that have traditionally defined data use, not to mention business processes and strategic planning, holistic data risk management can serve as both a proving ground for more extensive organizational risk management changes and a source of new inspiration for everything from corporate structure to new products and services.

The shortest distance between data and its safety
A straight line is, of course, the shortest distance between two points. The more often the lines that connect data to other data, people and places can be straightened, the more efficiently data risk can be managed. One way to straighten out—and optimize—data lines is by eliminating redundancy. The more often the same data is repeated throughout an organization's systems, the greater the risk that it can become corrupted, accessed inappropriately or updated inconsistently.
Prioritization is another important optimization technique. Without it, an organization has no way of knowing how mission-critical any specific piece or type of data is. As a result, many organizations seek to protect all data as if it were mission-critical, resulting in much higher-than-necessary risk management costs. Other organizations pursue lower costs by assigning all data middle-of-the-road protection, leaving their truly critical data painfully exposed. When an organization assigns data a relative priority that is based on a thorough understanding of what the data is, how and where it is used and how it contributes to business goals and the organization's bottom line—such as happens within robust data risk governance—the organization can be assured that it has adequately protected all its data in the most cost- and resource-efficient manner. Accurate, ongoing prioritization of data is crucial to effective, efficient data risk management.

Data on the move
Data is defined as being in one of three states: 1) at rest in storage, 2) in motion in the network, 3) in use on the desktop, as illustrated in Figure 2. A good data risk management plan addresses the risks inherent in all three states. A holistic data risk management plan takes a new and expanded look at the second state—data on the move—to add new access points that reflect the changing nature of the workplace and to protect those access points from exploitation.

Virtual private networks, remote access, smartphones, even iPods have now become mainstream business tools, and technologies such as cloud computing are coming on quickly. Traditional data risk management, with its emphasis on limiting access and locking down data, has simply locked these technologies out. The 2010 IBM Global IT Risk Study revealed that 64 percent of respondents viewed social networking tools as extremely risky or risky, for example. The problem with this approach is that as long as these technologies are being used, data is being created on them—data that is residing outside the enterprise and its security and risk management protocols. Now is the time to welcome that data, and the technologies that create and access it, into the organizational fold and take full advantage of the adaptability and flexibility the technologies provide. A holistically planned and implemented data risk management initiative can make this possible.
Figure 2: An organization's data exists in one of three states at any given time, with different risks inherent in each state. (Panels: Data at rest, Data in motion, Data in use.)

Setting the standards
No good initiative is complete without establishing the means to measure its success. The same is true for a good data risk management plan. The benchmark measurements have not changed: service level agreements (SLAs) for availability and access; recovery time objectives (RTOs) and recovery point objectives (RPOs) for disaster recovery; labor, systems and bandwidth costs for data access; application impact for security. But there are other standards and practices, applicable to IT risk management in general and data risk management in particular, that need to be part of a holistic data risk management plan. Measurement of a successful holistic data risk management program can go far beyond standard metrics.

Data risk management standards and practices should:
● Define the scope of risk analysis. Identify the business activities, initiatives and supporting technologies and infrastructure elements that will be included in the data risk management effort.
● Identify and define risks. Map each business activity to potential threats and the data that could be at risk.
● Assess the likelihood of risk occurrence and level of impact. Calculate the probability and severity of an actual breach from the scope of business activities, resulting in an overall view of risk.
● Evaluate controls. Assess the quality of existing controls used to prevent, detect and mitigate risks, factoring in cost versus value provided.
● Assess risk and determine treatments and responses. Review risks relative to risk appetite, then prioritize risk reduction activities and select investments based on cost/benefit analysis.
● Implement risk reduction actions. Develop, test and implement detailed plans for risk treatment.
● Provide ongoing monitoring and feedback. Continually collect data on threats, impacts and effectiveness of the current risk management process and adjust risk action plans and processes accordingly.
● Address the positive side of risk. Provide a more complete risk picture by balancing the potential negative risk inherent in growth such as new offices, new servers and distributed data with the potential positives such as shortened time to market and improved customer acquisition, retention and service.
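The middle steps of that list (assess likelihood and impact, evaluate controls on cost versus value, review residual risk against appetite, select investments by cost/benefit) can be made concrete as a small quantitative risk register. The following is an added example for this page, not code from the white paper or from any IBM product. The paper names the steps but gives no formulas, so the annualized loss expectancy arithmetic (occurrences per year times loss per occurrence), the multiplicative combination of overlapping controls and the greedy budget-constrained selection are standard choices assumed here; every asset, threat, figure, control name, budget and appetite value is constructed for illustration. It also breaks residual risk out per data state (at rest, in motion, in use) to tie the register back to Figure 2.

```python
"""Quantitative data risk register: likelihood x impact, control cost/benefit,
prioritization against a risk appetite, and residual risk per data state.

Added example; not from the IBM white paper. ALE, multiplicative control
combination and greedy selection are assumed standard methods; all assets,
threats, figures and control names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str          # the data that could be at risk
    threat: str         # the threat the business activity is mapped to
    state: str          # "at rest", "in motion" or "in use" (Figure 2)
    likelihood: float   # expected occurrences per year
    impact: float       # loss per occurrence, in currency units

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: float    # fraction of a covered risk's ALE the control removes
    covers: frozenset   # (asset, threat) keys this control applies to


def residual_ale(risks, controls):
    """Residual ALE per (asset, threat) after applying controls. Several
    controls on one risk combine multiplicatively (each removes a share of
    what the previous ones left); summing reductions would overstate them."""
    residual = {}
    for r in risks:
        remaining = 1.0
        for c in controls:
            if (r.asset, r.threat) in c.covers:
                remaining *= 1.0 - c.reduction
        residual[(r.asset, r.threat)] = r.ale * remaining
    return residual


def net_benefit(risks, selected, candidate):
    """Marginal value of adding one control: ALE removed minus its annual cost."""
    before = sum(residual_ale(risks, selected).values())
    after = sum(residual_ale(risks, selected + [candidate]).values())
    return (before - after) - candidate.annual_cost


def select_controls(risks, controls, budget):
    """Greedy cost/benefit selection within a budget: each round adds the
    affordable control with the largest positive marginal net benefit.
    Marginal benefit is recomputed every round because controls covering
    the same risk compete for the loss that is left."""
    selected, spent, remaining = [], 0.0, list(controls)
    while remaining:
        scored = [(net_benefit(risks, selected, c), c)
                  for c in remaining if spent + c.annual_cost <= budget]
        scored = [(b, c) for b, c in scored if b > 0]
        if not scored:
            break
        _, best = max(scored, key=lambda bc: bc[0])
        selected.append(best)
        spent += best.annual_cost
        remaining.remove(best)
    return selected


def above_appetite(risks, controls, appetite):
    """Risks whose residual ALE still exceeds the per-risk appetite, largest
    first; each needs a treatment decision (accept, transfer, escalate)."""
    res = residual_ale(risks, controls)
    return sorted(((k, v) for k, v in res.items() if v > appetite),
                  key=lambda kv: -kv[1])


def residual_by_state(risks, controls):
    """Residual ALE summed per data state (at rest / in motion / in use)."""
    res = residual_ale(risks, controls)
    totals = {}
    for r in risks:
        totals[r.state] = totals.get(r.state, 0.0) + res[(r.asset, r.threat)]
    return totals


# Constructed sample register (illustrative figures, not survey data).
RISKS = [
    Risk("customer PII", "laptop theft", "at rest", 2.0, 50_000),
    Risk("customer PII", "web app breach", "in use", 0.2, 400_000),
    Risk("order database", "hardware failure", "at rest", 0.5, 60_000),
    Risk("payroll export", "email interception", "in motion", 1.0, 10_000),
]
CONTROLS = [
    Control("full-disk encryption", 15_000, 0.9, frozenset({("customer PII", "laptop theft")})),
    Control("web application firewall", 40_000, 0.5, frozenset({("customer PII", "web app breach")})),
    Control("replicated storage", 20_000, 0.8, frozenset({("order database", "hardware failure")})),
    Control("TLS mail gateway", 8_000, 0.9, frozenset({("payroll export", "email interception")})),
    Control("annual penetration test", 25_000, 0.3, frozenset({("customer PII", "web app breach")})),
]

if __name__ == "__main__":
    chosen = select_controls(RISKS, CONTROLS, budget=50_000)
    print("selected:", [c.name for c in chosen])
    print("residual by state:", residual_by_state(RISKS, chosen))
    print("above appetite:", above_appetite(RISKS, chosen, appetite=20_000))
```

With the constructed figures, pure cost/benefit never buys the web application firewall (its annual cost equals the loss it would remove, so its net benefit is zero) and the penetration test has negative net benefit, yet the web application risk is the one that remains above the 20,000 appetite after the budget is spent. That gap is exactly what the "review risks relative to risk appetite" step exists to surface: the treatment is then an explicit decision to accept, transfer or escalate for budget, not silence, and the per-state totals show that the remaining exposure sits in data in use rather than at rest or in motion.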
Holistic has its benefits
The most immediate reasons to consider putting a holistic data risk management plan into action are the monetary ones. A holistic approach to data risk management can help transform an organization's risk-related activities from a cost center to a value center by:
● Delivering considerable savings over traditional data risk management efforts—sometimes as much as 20 to 30 percent
● Helping to avoid contractual, industry and regulatory penalties
● Creating and maintaining one set of processes, leading to reduced redundancies compared to traditional data risk management efforts
● Helping to enable new revenue streams
● Allowing for faster market rollout of new initiatives, products and services.

There are additional benefits to holistic data risk management that go beyond immediate cost savings. These can include:
● Smoother expansion into new markets
● The ability to take on new global partners safely and securely expand relationships with existing partners
● Heightened ability to win business and maintain existing contracts/customers
● New capabilities to innovate and drive competitive solutions
● Easier assimilation of acquisitions and mergers
● New responsiveness to customer requests and feedback
● New solutions to help grow market share.

IBM can help
IBM's holistic view of data risk management—and the products and services that make that view a reality for our clients—is part of the IBM Security Framework, a combination of model and methodology that is optimized to allow organizations to understand core business processes, the threats and vulnerabilities associated with the processes and the ability to make viable recommendations for the whole.

The IBM Security Framework encompasses:
1. People and identity
2. Data and information
3. Application and process
4. Network, server and endpoint
5. Physical infrastructure.
By placing its data risk management solution within this framework, an organization can be assured that an extensive knowledge of best practices, proven expertise and global reach have been fully leveraged for its benefit. The organization will also know that its data risk management solution has the ability to fit together with other framework security solutions across the enterprise. Utilizing the IBM Security Framework, organizations can implement holistic data risk management at the speed and scope that matches their needs.

Individual IBM data risk management solutions have been designed to help organizations qualify risk, forecast in a more proactive manner and establish controls to mitigate exposures. Using a highly modular approach, organizations can implement the process areas that can help generate the greatest value today and then add others as needs change.

IBM's holistic approach to data risk management also includes access to extensive industry knowledge and industry-specific solutions that cover important data risk areas such as PCI compliance and remote data protection.

Figure 3: The IBM Security Framework provides a risk model, methodology and links to a robust portfolio of data risk management solutions. (Layers shown: Security governance, risk management and compliance; People and identity; Data and information; Application and process; Network, server and end point; Physical infrastructure; Common policy, event handling and reporting; delivered through professional services, managed services, and hardware and software.)
    © Copyright IBM Corporation 2010
IBM Global Services Route 100 Somers, NY 10589 U.S.A.
Produced in the United States of America September 2010
All Rights Reserved
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml
iPod is a trademark of Apple Inc., registered in the U.S. and other countries. Other company, product or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
1 MARKET ANALYSIS: Worldwide Data Protection and Recovery Software 2010 – 2014 Forecast: Cloud, Deduplication, and Virtualization Stabilize Market, Robert Amatruda, IDC, Doc. #24526, August 2010.
RLW03001-USEN-00